From: Vitaly Kuznetsov
Date: Thu, 30 Apr 2026 14:44:45 +0000 (+0200)
Subject: TEST-70-TPM2: Test the key_file + tpm2-device= combo
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F41892%2Fhead;p=thirdparty%2Fsystemd.git

TEST-70-TPM2: Test the key_file + tpm2-device= combo

When key_file is passed along with tpm2-device= to systemd-cryptsetup, the logic is to try the blob as a TPM blob first, and then fall back to trying the file as a regular key file. Check that this fallback works.
---
diff --git a/test/units/TEST-70-TPM2.cryptsetup.sh b/test/units/TEST-70-TPM2.cryptsetup.sh
index 5a7f0facfcc..a40f7396892 100755
--- a/test/units/TEST-70-TPM2.cryptsetup.sh
+++ b/test/units/TEST-70-TPM2.cryptsetup.sh
@@ -57,8 +57,9 @@ IMAGE="$(mktemp /tmp/systemd-cryptsetup-XXX.IMAGE)"
 truncate -s 20M "$IMAGE"
 echo -n passphrase >/tmp/passphrase
+echo -n wrong_passphrase >/tmp/wrong_passphrase
 # Change file mode to avoid "/tmp/passphrase has 0644 mode that is too permissive" messages
-chmod 0600 /tmp/passphrase
+chmod 0600 /tmp/passphrase /tmp/wrong_passphrase
 cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase
 # Unlocking via keyfile
@@ -237,4 +238,11 @@ EOF
 rmdir /tmp/dditest
 fi
-rm -f "$IMAGE" "$PRIMARY"
+# Key file can contain a TPM blob but in case it doesn't fallback should also work.
+systemd-cryptsetup attach test-volume "$IMAGE" /tmp/passphrase tpm2-device=auto,headless=1
+systemd-cryptsetup detach test-volume
+
+# Negative test: invalid passphrase should not work.
+(! systemd-cryptsetup attach test-volume "$IMAGE" /tmp/wrong_passphrase tpm2-device=auto,headless=1)
+
+rm -f "$IMAGE" "$PRIMARY" /tmp/passphrase /tmp/wrong_passphrase
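Review bot: The negative test on the `(! systemd-cryptsetup attach … /tmp/wrong_passphrase …)` line of the second hunk only checks that the command exited non-zero, so it also passes when attach fails for an unrelated reason — for instance a stale test-volume mapping if the preceding detach did not complete — rather than because the wrong passphrase was rejected. Follow it with an assertion that nothing was mapped, e.g. `test ! -e /dev/mapper/test-volume`, so a failure for the wrong reason still surfaces. The positive test above it demonstrates that the plain-key fallback succeeds, but not that the file was first tried as a TPM2 blob as the commit message describes; confirming that ordering would need a check of the fallback message systemd-cryptsetup logs, whose exact text is not visible here. The comment introducing the positive test reads awkwardly; suggest `# The key file may hold a TPM2 blob; when it does not, systemd-cryptsetup must fall back to using it as a plain key file.`.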